A New Backdoor Around the Fourth Amendment: The CLOUD Act

There’s a new, proposed backdoor to our data, which would bypass our Fourth Amendment protections to communications privacy. It is built into a dangerous bill called the CLOUD Act, which would allow police at home and abroad to seize cross-border data without following the privacy rules where the data is stored.

This backdoor is an insidious method for accessing our emails, our chat logs, our online videos and photos, and our private moments shared online between one another. This backdoor would deny us meaningful judicial review and the privacy protections embedded in our Constitution.

This new backdoor for cross-border data mirrors another backdoor under Section 702 of the FISA Amendments Act, an invasive NSA surveillance authority for foreign intelligence gathering. That law, recently reauthorized and expanded by Congress for another six years, gives U.S. intelligence agencies, including the NSA, FBI, and CIA, the ability to search, read, and share our private electronic messages without first obtaining a warrant.

The new backdoor in the CLOUD Act operates much in the same way. U.S. police could obtain Americans’ data, and use it against them, without complying with the Fourth Amendment.

The CLOUD Act (S. 2383 and H.R. 4943) has two major components. First, it empowers U.S. law enforcement to grab data stored anywhere in the world, without following foreign data privacy rules. Second, it empowers the president to unilaterally enter executive agreements with any nation on earth, even known human rights abusers. Under such executive agreements, foreign law enforcement officials could grab data stored in the United States, directly from U.S. companies, without following U.S. privacy rules like the Fourth Amendment, so long as the foreign police are not targeting a U.S. person or a person in the United States.

That latter component is where the CLOUD Act’s backdoor lives.

When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.

Under the CLOUD Act’s rules for these data demands from foreign police to U.S. service providers, this collection of Americans’ data can happen without any prior, individualized review by a foreign or American judge. Also, it can happen without the foreign police needing to prove the high level of suspicion required by the U.S. Fourth Amendment: probable cause.

Once the foreign police have collected Americans’ data, they often will be able to hand it over to U.S. law enforcement, which can use it to investigate Americans, and ultimately to bring criminal charges against them in the United States.

According to the bill, foreign police can share the content of a U.S. person’s communications with U.S. authorities so long as it “relates to significant harm, or the threat thereof, to the United States or United States persons.” This nebulous standard is vague and overbroad. Also, the bill’s hypotheticals indicate far-ranging data sharing by foreign police with U.S. authorities. From national security to violent crime, from organized crime to financial fraud, the CLOUD Act permits it all to be shared, and likely far more.

Moreover, the CLOUD Act allows the foreign police who collect Americans’ communications to freely use that content against Americans, and to freely share it with additional nations.

To review: The CLOUD Act allows the president to enter an executive agreement with a foreign nation known for human rights abuses. Using its CLOUD Act powers, police from that nation inevitably will collect Americans’ communications. They can share the content of those communications with the U.S. government under the flawed “significant harm” test. The U.S. government can use that content against these Americans. A judge need not approve the data collection before it is carried out. At no point need probable cause be shown. At no point need a search warrant be obtained.

This is wrong. Much like the infamous backdoor search loophole connected to broad, unconstitutional NSA surveillance under Section 702, the backdoor proposed in the CLOUD Act violates our Fourth Amendment right to privacy by granting unconstitutional access to our private lives online.

Also, when foreign police using their CLOUD Act powers inevitably capture metadata about Americans, they can freely share it with the U.S. government, without even showing “significant harm.” Communications “content” is the words in an email or online chat, the recordings of an internet voice call, or the moving images and coordinating audio of a video call online. Communications “metadata” is the pieces of information that relate to a message, including when it was sent, who sent it, who received it, its duration, and where the sender was located when sending it. Metadata is enormously powerful information and should be treated with the same protection as content.

To be clear: the CLOUD Act fails to provide any limits on foreign police sharing Americans’ metadata with U.S. police.

The CLOUD Act would be a dangerous overreach into our data. It seeks to streamline cross-border police investigations, but it tears away critical privacy protections to attain that goal. This is not a fair trade. It is a new backdoor search loophole around the Fourth Amendment.
